<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Django 1.4.8 release notes &mdash; Django 1.7.8.dev20150401230226 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.7.8.dev20150401230226',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="top" title="Django 1.7.8.dev20150401230226 documentation" href="../index.html" />
    <link rel="up" title="Release notes" href="index.html" />
    <link rel="next" title="Django 1.4.7 release notes" href="1.4.7.html" />
    <link rel="prev" title="Django 1.4.9 release notes" href="1.4.9.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head>
  <body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.4.9.html" title="Django 1.4.9 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.4.7.html" title="Django 1.4.7 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.4.8">
            
  <div class="section" id="s-django-1-4-8-release-notes">
<span id="django-1-4-8-release-notes"></span><h1>Django 1.4.8 release notes<a class="headerlink" href="#django-1-4-8-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>September 14, 2013</em></p>
<p>Django 1.4.8 fixes two security issues present in previous Django releases in
the 1.4 series.</p>
<div class="section" id="s-denial-of-service-via-password-hashers">
<span id="denial-of-service-via-password-hashers"></span><h2>Denial-of-service via password hashers<a class="headerlink" href="#denial-of-service-via-password-hashers" title="Permalink to this headline">¶</a></h2>
<p>In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allowed a denial-of-service attack through
submission of bogus but extremely large passwords, tying up server
resources performing the (expensive, and increasingly expensive with
the length of the password) calculation of the corresponding hash.</p>
<p>As of 1.4.8, Django&#8217;s authentication framework imposes a 4096-byte
limit on passwords and will fail authentication with any submitted
password of greater length.</p>
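<p>The guard described above, as an added illustration that is not Django's own code: a byte limit enforced before any key stretching runs, with a call counter (constructed for the example) so the test can prove an over-long password never reaches the expensive hash. Measuring the UTF-8 encoded length is this example's assumption.</p>

```python
import hashlib
import hmac
import os

# Limit from the 1.4.8 release notes: longer passwords fail authentication.
MAX_PASSWORD_LENGTH = 4096

# Records how often the expensive hash ran, so a test can prove that an
# over-long password never reaches it. Constructed for this example.
HASH_CALLS = {"count": 0}


def password_too_long(password, limit=MAX_PASSWORD_LENGTH):
    """True when the UTF-8 encoding of password exceeds limit bytes.

    Measuring the encoded length is an assumption made here; it is the
    stricter reading of a byte-based limit for non-ASCII input.
    """
    return len(password.encode("utf-8")) > limit


def make_password(password, salt=b"", iterations=20000):
    """PBKDF2-HMAC-SHA256, encoded as 'pbkdf2_sha256$iterations$salt$hash'.

    Key stretching is the deliberately expensive step that bogus, very large
    passwords were used to tie up before the limit existed.
    """
    HASH_CALLS["count"] += 1
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def check_password(password, encoded):
    """Verify password against encoded, rejecting over-long input before hashing."""
    if password_too_long(password):
        return False  # fail closed; no work the attacker can amplify
    algorithm, iterations, salt_hex, _digest = encoded.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: %s" % algorithm)
    recomputed = make_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, encoded)


def authenticate(username, password, users):
    """Return username on success, else None; users maps name -> encoded hash."""
    encoded = users.get(username)
    if encoded is None:
        return None
    return username if check_password(password, encoded) else None
```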
</div>
<div class="section" id="s-corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin">
<span id="corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin"></span><h2>Corrected usage of <a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><tt class="xref py py-func docutils literal"><span class="pre">sensitive_post_parameters()</span></tt></a> in <a class="reference internal" href="../topics/auth/index.html#module-django.contrib.auth" title="django.contrib.auth: Django's authentication framework."><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.auth</span></tt></a>’s admin<a class="headerlink" href="#corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin" title="Permalink to this headline">¶</a></h2>
<p>The decoration of the <tt class="docutils literal"><span class="pre">add_view</span></tt> and <tt class="docutils literal"><span class="pre">user_change_password</span></tt> user admin
views with <a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><tt class="xref py py-func docutils literal"><span class="pre">sensitive_post_parameters()</span></tt></a>
did not include <a class="reference internal" href="../ref/utils.html#django.utils.decorators.method_decorator" title="django.utils.decorators.method_decorator"><tt class="xref py py-func docutils literal"><span class="pre">method_decorator()</span></tt></a> (required
since the views are methods), so the decorator was not actually applied to
those views. This usage has been fixed, and
<a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><tt class="xref py py-func docutils literal"><span class="pre">sensitive_post_parameters()</span></tt></a> now
raises an exception if it is used improperly.</p>
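<p>An added example, written for this page rather than taken from Django, of why a function decorator applied straight onto a method misfires and how a <tt class="docutils literal"><span class="pre">method_decorator()</span></tt> adapter fixes it. The <tt class="docutils literal"><span class="pre">HttpRequest</span></tt> stand-in, the simplified decorators and the two admin classes are constructed here; the request-type check mirrors the release note's "raises if used improperly" behaviour.</p>

```python
import functools


class HttpRequest:
    """Minimal stand-in for django.http.HttpRequest (constructed here)."""

    def __init__(self, post):
        self.POST = dict(post)
        self.sensitive_post_parameters = None  # nothing hidden by default


def sensitive_post_parameters(*parameters):
    """Simplified sensitive_post_parameters: mark POST fields to be filtered
    out of error reports. The wrapper expects the request as its first
    positional argument and raises when it gets anything else."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            if not isinstance(request, HttpRequest):
                raise TypeError("first argument is not an HttpRequest; "
                                "on a method, wrap with method_decorator()")
            request.sensitive_post_parameters = parameters or "__ALL__"
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def method_decorator(decorator):
    """Simplified method_decorator: hide the bound `self` so the function
    decorator sees (request, *args, **kwargs) as it expects."""
    def _dec(method):
        @functools.wraps(method)
        def _wrapper(self, *args, **kwargs):
            bound = functools.partial(method, self)
            return decorator(bound)(*args, **kwargs)
        return _wrapper
    return _dec


class BrokenUserAdmin:
    # Pre-fix shape: the wrapper receives `self`, not the request, so the
    # marking never lands on the request (and now raises instead).
    @sensitive_post_parameters("password1", "password2")
    def add_view(self, request):
        return request.sensitive_post_parameters


class FixedUserAdmin:
    @method_decorator(sensitive_post_parameters("password1", "password2"))
    def add_view(self, request):
        return request.sensitive_post_parameters
```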
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.4.8 release notes</a><ul>
<li><a class="reference internal" href="#denial-of-service-via-password-hashers">Denial-of-service via password hashers</a></li>
<li><a class="reference internal" href="#corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin">Corrected usage of <tt class="docutils literal"><span class="pre">sensitive_post_parameters()</span></tt> in <tt class="docutils literal"><span class="pre">django.contrib.auth</span></tt>’s admin</a></li>
</ul>
</li>
</ul>

        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Apr 02, 2015</p>
          </div>
        
      
    </div>

  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>